Posted by: Ken Harthun
security practice, Zero-day vulnerability
Well, Microsoft continues to keep us security professionals busy — and employed — which is both good and bad. Good, in that it keeps us employed; bad, in that it puts people at risk. To wit:
Microsoft Security Advisory (2286198)
Microsoft is investigating reports of limited, targeted attacks exploiting a vulnerability in Windows Shell, a component of Microsoft Windows. This advisory contains information about which versions of Windows are vulnerable as well as workarounds and mitigations for this issue.
The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed. This vulnerability can be exploited locally through a malicious USB drive, or remotely via network shares and WebDAV. An exploit can also be included in specific document types that support embedded shortcuts.
This is a bad one. Really bad one. It apparently goes all the way back to NT–maybe back to the beginning of Windows–though Microsoft is only reporting that it affects currently supported versions. Here’s how it can be exploited:
An attacker could present a removable drive to the user with a malicious shortcut file, and an associated malicious binary. When the user opens this drive in Windows Explorer, or any other application that parses the icon of the shortcut, the malicious binary will execute code of the attacker’s choice on the victim system.
An attacker could also set up a malicious Web site or a remote network share and place the malicious components on this remote location. When the user browses the Web site using a Web browser such as Internet Explorer or a file manager such as Windows Explorer, Windows will attempt to load the icon of the shortcut file, and the malicious binary will be invoked. In addition, an attacker could embed an exploit in a document that supports embedded shortcuts or a hosted browser control (such as but not limited to Microsoft Office documents).
Steve Gibson in Security Now! Episode 258 says this:
The problem is that there isn’t anything clearly – there’s no real good solution for this. Microsoft has posted a Fix it which makes some changes to the registry and also shows what manual changes can be made. The problem is that the fix that is required, until we actually get the problem repaired, is that all of your link, all of your shortcuts stop being displayed, and you get sort of the generic white rectangle . . . instead of the normal link that you’re expected to see. And many of the icons that people are familiar with are actually shortcuts that they’re not really aware of. So they don’t always have that little curly arrow down in the lower left-hand corner, which is what you get when you have, like, a manual shortcut created to a file somewhere. It turns out that Windows uses these pervasively to sort of glue things together. So if people do this and then reboot the system as is necessary, suddenly you’ve got your, like, windows and control panel and all kinds of things are covered with these white rectangles. And now it’s not even clear that that solves the problem.
Stay tuned. There will be much more on this front in the coming week.